Schneider Electric has released a new version to address path traversal and missing authentication for critical function vulnerabilities in its IGSS (Interactive Graphical SCADA System), according to a report with CISA.
Successful exploitation of these remotely exploitable vulnerabilities, which Trend Micro’s Zero Day Initiative (ZDI) reported to CISA, could result in unauthorized access to sensitive data and functions. Versions 14 and prior using the service IGSSupdate suffer from the issues.
In one vulnerability, the affected product could allow a remote unauthenticated attacker to read arbitrary files on the device. CVE-2020-7478 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.
In addition, the affected product could allow a local user to execute processes that otherwise require escalation privileges when sending local network commands to the IGSS update service.
CVE-2020-7479 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.8.
The product sees use mainly in the commercial facilities, critical manufacturing, and energy sectors, and it is deployed on a global basis.
No known public exploits specifically target these vulnerabilities.
Schneider Electric has provided IGSS14 Version 22.214.171.12409 to address these vulnerabilities. Users are recommended to update to IGSS Version 14.
Alternatively, the following workarounds and mitigations can be applied to reduce risk:
- Disable the IGSS Update service when it is not required for installing updates
- Keep the infrastructure offline and do not allow Windows login and network access for untrusted people and sources
For more information, see the Schneider Electric security notification.